How to configure FreeBSD to redirect all DNS requests to another DNS server.
We have set up FreeBSD as the router for our company. We have two cards, one for the LAN and a second for the WAN, which is configured with a public static IP address.
What I want to do is:
When some client inside our network 192.168.0.1/32 makes a DNS request to our old DNS server, FreeBSD should forward that request to another DNS server.
Is that possible?
Where do I need to put that rule?

3 Answers

If you're running BIND on that router, you can easily configure it to forward all requests to the appropriate external DNS server. Depending on what firewall you're running, you can also easily forward packets to that router's named. The problem is going to be that the router is answering the request now, and the client expects another server to answer the request; this would appear like a classic cache-poisoning attempt and many newer clients will reject it. If you want to try it and you're running IPFW, add something like this:

ipfw add 00010 fwd localhost ip from {lan} to any dns

(Note you need a kernel compiled with options IPFIREWALL_FORWARD for this to work.)

Your best option, as others have mentioned, is to configure your DHCP to issue the new address (or the router's, and set up forwarding there; this would also potentially reduce external network traffic, as it will cache some of the DNS queries). Then log anyone who's still using any external DNS.
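The same idea expressed for pf instead of IPFW, as an added example that is not part of the answer above: clients keep pointing at the old address, and the router rewrites the destination so its own resolver (the BIND mentioned above, or any resolver reached through the router) answers. Interface names, addresses and the subnet are assumptions for the example; the old server is assumed to sit behind the router, not on the clients' own segment.

```pf
# /etc/pf.conf fragment (added example, not from the original answers).
# Assumed layout: em0 = WAN with the public address, em1 = LAN 192.168.0.0/24,
# router's LAN address 192.168.0.1, a resolver on the router listening on
# 127.0.0.1:53, and the old resolver reachable only through the router.
ext_if     = "em0"
int_if     = "em1"
lan        = "192.168.0.0/24"
router_lan = "192.168.0.1"     # what DHCP should hand out as the DNS server
old_dns    = "10.0.1.53"       # the address clients still have configured (assumed)

set skip on lo0

# Normal outbound NAT for the LAN; a router with one public address needs this anyway.
nat on $ext_if inet from $lan to any -> ($ext_if)

# Queries aimed at the old server are rewritten to the router's own resolver.
# Translation rules match on first hit, and "rdr pass" also lets the rewritten
# packets through the filter, so no extra pass rule is needed for them.
rdr pass on $int_if inet proto { tcp, udp } from $lan to $old_dns port domain -> 127.0.0.1 port domain

# Stricter variant (the "no other choices" approach from the third answer):
# every query not already sent to the router is rewritten too, and logged so
# stale client settings show up on pflog0.
rdr pass log on $int_if inet proto { tcp, udp } from $lan to ! $router_lan port domain -> 127.0.0.1 port domain

# Let the LAN reach the router's resolver directly as well.
pass in on $int_if inet proto { tcp, udp } from $lan to $router_lan port domain
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm the translation rules with `pfctl -s nat` and watch them fire with `pfctl -s state | grep ':53'`. Because the reply is un-translated by pf on the way back, the client sees the answer come from the address it asked, which avoids the "wrong server answered" rejection described above; that only holds while both directions pass through the router, so if the old server's address is on the clients' own subnet the packets never reach pf and the alias approach from the second answer is the one to use.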

This is possible, but probably more work than needed.
The short and dirty way would be to use a netcat command, and a more permanent one would be to use a forward statement in iptables (I believe that is for BSD as well).

Another solution would be to set up the new server with a virtual address for the old server's IP (en0.0 or some such thing).

The best solution would probably be to change the DHCP server to serve the new DNS IP, and change any hard-set servers to the new IP.

You should shut down the old DNS server and block DNS traffic from the internal LAN to external DNS, so your users have no other choice.

A less drastic solution: maybe discover which users are using external or old DNS (by analysing traffic or firewall logs), notify those users that the old DNS will be shut down, and then shut down the old DNS.
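Both the first answer ("log anyone who's still using any external DNS") and this one ("analysing traffic or firewall logs") stop at the idea; here is one way to actually do it on the FreeBSD router, as an added example that is not from either answerer. It assumes DNS traffic is logged by a pf `log` rule and read with `tcpdump -n -e -ttt -i pflog0 port 53`; the approved resolver address and the sample log lines are constructed for the example.

```sh
#!/bin/sh
# Added example: list LAN clients still querying a resolver other than the
# approved one, from tcpdump output on pflog0. Resolver address and sample
# lines below are assumptions, not data from the original thread.

# report_stray_dns APPROVED_IP
# Reads tcpdump lines on stdin and prints "client server query-count" for
# every client/server pair whose server is not APPROVED_IP, sorted by client.
report_stray_dns() {
    awk -v ok="$1" '
        /\.53: / {
            # tcpdump prints "... IP <src>.<sport> > <dst>.53: ..."; locate the ">"
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            sub(/\.[0-9]+$/, "", src)   # drop the source port
            sub(/\.53:$/, "", dst)      # drop the ".53:" destination port
            if (dst != ok) count[src " " dst]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample, roughly what "tcpdump -n -e -ttt -i pflog0 port 53" shows
# for a "pass log" rule on em1 (rule number, interface, addresses made up).
SAMPLE_LOG='00:00:00.000000 rule 2/0(match): pass in on em1: IP 192.168.0.42.51234 > 8.8.8.8.53: 1+ A? example.com. (29)
00:00:00.000120 rule 2/0(match): pass in on em1: IP 192.168.0.42.51235 > 8.8.8.8.53: 2+ A? example.org. (29)
00:00:00.000300 rule 2/0(match): pass in on em1: IP 192.168.0.77.40001 > 10.0.1.53.53: 3+ A? intranet. (26)
00:00:00.000500 rule 2/0(match): pass in on em1: IP 192.168.0.10.33000 > 192.168.0.1.53: 4+ A? mail. (22)'

# Run against the sample; on the router it would be:
#   tcpdump -n -e -ttt -i pflog0 port 53 | report_stray_dns 192.168.0.1
printf '%s\n' "$SAMPLE_LOG" | report_stray_dns 192.168.0.1
```

The output is one line per client/server pair, so the two hosts above that still talk to 8.8.8.8 and to the old 10.0.1.53 are the ones to notify before the old server goes away; the client using the router's own resolver is not reported. Keying on the pair rather than the client alone tells you whether a host has a hard-coded public resolver or merely a stale internal one.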